source link: https://www.androidpolice.com/how-to-create-a-strong-password/
How to make a strong password


Protect your personal information with a strong passphrase


Dealing with passwords is a fundamental part of life on the internet and interacting with 21st-century technology. Passwords protect everything from the mundane (our Spotify, YouTube, and Twitch accounts) to the vitally important (our PayPal, Amazon, and Venmo accounts) and everything in between. They are the keys to the digital locks on our online property and, as such, play an important role in protecting our lives from bad actors intent on stealing identities and wreaking havoc in general.

So, it’s vital that you are the only one who knows — or can guess — your passwords. But what makes for a good password? To understand that, you have to know a thing or two about how internet ne'er-do-wells crack passwords.

Brute-force attacks

In the parlance of digital security, repeatedly guessing a password is called a brute-force attack. The idea is simple: try every combination of letters and numbers until the right one is found. For a human, this kind of task would be boring, repetitive, prone to error, and time-intensive. For a computer, most of these problems become trivial.

According to NordPass, computers can guess between 10,000 (old school Pentium 100 MHz) and one billion passwords per second (supercomputer). Guessing a four-digit PIN (10,000 possible PINs) would take at most a second on the slowest computer, in the worst case where the correct PIN is the last one tried.

When it comes to alphanumeric passwords consisting of just lower case letters and numbers (36 possible characters), a six-character password (36⁶ possible character combinations) could be cracked in 217,679 seconds (2.5 days) in the case of the Pentium, or in about 2 seconds in the case of the supercomputer. And remember, these numbers are the maximum time it would take to brute force the passwords. This is unacceptable from a security standpoint.

However, a complex password like "@ndroidPo1ice" is much harder to guess. It has eight characters, uppercase, lowercase, numbers, and symbols, so there are 94 possible characters available giving 94⁸ (over six quadrillion) password combinations. This level of complexity is sufficient for thwarting our low-powered computer which would take over 600 billion seconds (over 19,000 years) to brute force all the combinations, and it offers reasonable defense against our high-powered computer, which would take over six million seconds (70 days) to guess.
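The arithmetic above, carried through in code. This is an added example, not part of the original article: it infers the character pool from the classes actually present in a password, computes the keyspace, and converts it to worst-case and average crack times at the two guess rates the article quotes (the rate figures and class sizes are the only inputs; everything else is plain arithmetic).

```python
import string

# Guess rates quoted in the article (guesses per second).
RATES = {"pentium_100mhz": 10_000, "supercomputer": 1_000_000_000}

# Character classes and their sizes; together they make the 94 printable ASCII
# characters (space excluded) that the article assumes for a "complex" password.
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]


def pool_size(password: str) -> int:
    """Alphabet size an attacker must assume, from the classes actually present."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def keyspace(pool: int, length: int) -> int:
    """Number of candidate passwords for a given alphabet size and length."""
    return pool ** length


def crack_seconds(pool: int, length: int, rate: int, worst_case: bool = True) -> float:
    """Seconds to exhaust the keyspace; the expected time is half the worst case."""
    seconds = keyspace(pool, length) / rate
    return seconds if worst_case else seconds / 2


def crack_days(pool: int, length: int, rate: int) -> float:
    """Worst-case crack time in days."""
    return crack_seconds(pool, length, rate) / 86_400


def report(password: str) -> dict:
    """Worst-case seconds per attacker, using the password's own pool and length."""
    pool, length = pool_size(password), len(password)
    return {name: crack_seconds(pool, length, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    # The article's two figures: 36^6 at 10,000/s and 94^8 at 1e9/s.
    print(f"{crack_seconds(36, 6, RATES['pentium_100mhz']):.0f} s")      # ~217678 s
    print(f"{crack_days(94, 8, RATES['supercomputer']):.1f} days")        # ~70.6 days
    for name, secs in report("@ndroidPo1ice").items():
        print(f"{name}: {secs / 31_557_600:.3g} years worst case")
```

Note that `report` uses the real length of the string passed in, and the article's sample password is 13 characters long, so its own keyspace is far larger than the 94⁸ quoted.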

Dictionary attacks

These calculations assume the longest possible time, with the computer only guessing correctly on the last possible permutation of characters. In reality, the average time it would take to guess a password would be about half of what’s stated above. Worse, people are awful at picking passwords, but it’s (mostly) not our fault. The problem is that the best passwords to thwart brute-force attacks are a random distribution of letters, numbers, and symbols. The easiest passwords to remember are made up of numbers and words that have some personal meaning. This opens us up to a new vulnerability: dictionary attacks.

This type of attack relies on the fact that most people use common words in their passwords, so instead of testing every combination of every possible character, an attacker can just test words known to be used in many passwords. What’s worse, given the plethora of data breaches in the past decade, attackers can find lists of hundreds of millions of passwords to test, a far cry from the six quadrillion possibilities in our previous example.

Password cracking

Another avenue of attack for hackers relies on the way online services store passwords. Companies don’t actually save a list of plain text passwords. Doing so would make user data far too vulnerable. Instead, they store a one-way hash of each password rather than the password itself. The idea is to use a function that easily converts a password into a new value, such that it’s very difficult to determine the original value from the converted value.

Ever since companies began using these algorithms, hackers have been hard at work finding ways to crack them. Some, like SHA-1, are so fast and so often used without a per-user salt that a simple Google search of the converted value reveals the original password. Others can be cracked in a matter of hours with brute force just by renting some time on AWS.

With the proliferation of these types of attacks, a bad actor just needs the list of hashed passwords and a bit of time to gain access to your accounts.
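The storage side of the problem, as an added example that is not code from the article. It contrasts the weak scheme the article describes (a fast, unsalted SHA-1, where a precomputed table built from a short constructed list of common passwords reverses a leaked digest) with a per-user random salt plus a deliberately slow key-derivation function from the Python standard library; the iteration count is an illustrative assumption.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of passwords from the top of any breach list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "111111"]
# PBKDF2 work factor used below; the exact count is an illustrative assumption.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """Weak scheme: fast hash, no salt. The same password always yields the same
    digest, so one precomputed table answers for every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


# The "lookup table" an attacker builds once and reuses against any unsalted dump.
PRECOMPUTED = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}


def reverse_lookup(digest: str):
    """Recover the password behind an unsalted digest if it is in the table."""
    return PRECOMPUTED.get(digest)


def store_password(password: str) -> dict:
    """Stronger scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def digests_collide(password: str, salted: bool) -> bool:
    """Do two users who chose the same password end up with the same stored value?"""
    if salted:
        return store_password(password)["hash"] == store_password(password)["hash"]
    return unsalted_sha1(password) == unsalted_sha1(password)


if __name__ == "__main__":
    print("unsalted SHA-1 reversed to:", reverse_lookup(unsalted_sha1("123456")))
    rec = store_password("123456")
    print("salted record found in table?", reverse_lookup(rec["hash"]))  # None
    print("login with the right password:", verify_password(rec, "123456"))
```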

The solution

How can we be sure that no one can guess our passwords? A good rule of thumb is to look at modern password requirements from financial institutions. My bank, for instance, requires that my password be at least eight characters long and have one uppercase letter, one lowercase letter, one number, and one symbol. So the previous example of @ndroidPo1ice checks all the boxes.

The solution to all of these problems is longer, more complex passwords. But this introduces a new problem: most of us have dozens of accounts, and we can’t remember 50 different passwords for 50 different services. The best solution to this conundrum is a sort of compromise. When it comes to having different passwords for different websites, focus on the important ones that control access to your money (Amazon, PayPal, Venmo, bank accounts) and use a simpler password for your less vital accounts (Spotify, TikTok, Discord). This way, if your password is revealed in a data breach, it minimizes the risk to your most vital accounts.

As for creating a password that’s resistant to brute-force attacks, dictionary attacks, and cracking, focus on length over complexity. Potential passwords could be based on a meme (@11yourBase@reB310ng2us), a video game (theC@k3is@L13), or a book (itWasThe835tOf*itWasTheW0r5tOf*). But avoid personal information like birthdays, phone numbers, or nicknames since this kind of information can be found by scouring social media.

There's no need to remember all your passwords

If there’s no way you can keep all of these passwords straight, don’t stress. There are a number of services available to manage your passwords. Firefox and Chrome can even remember them for you. And for the love of all that is sacred, don’t be one of the 100 million people who use "123456" as their password.
